
How to update a parser using Live in NetWitness

Tasks

The steps below will demonstrate how to deploy the latest version of a parser through RSA Live.


Resolution

Follow these steps to update or deploy a parser from Live when CCM is disabled:
  1. Log in to the NetWitness UI.
  2. In the menu in the upper left-hand corner of the UI, navigate to Live > Search.
  3. In the "Keywords" text box, type the parser name or part of the parser name, and then press "Search."
  4. Once the results appear, double-click the parser name of your choice.
  5. A new window opens with details about the parser. Click "Deploy" to begin deploying the parser to your decoders.
  6. Select the resource name and then select "Next."
     
  7. Select the services that you wish to deploy the parser to.
  8. Review the information on the review page and click "Deploy."
     
  9. Watch for the deployment status and then press "Close" once it has deployed successfully.
  10. On the decoder, check /var/log/messages for log entries similar to the following to confirm that the parser was loaded successfully:
     
    NwLogDecoder[11691]: [Parse] [audit] User admin (session 119216, <SA_IP:58402) has started uploading file 'rsadlp.envision'
    NwLogDecoder[11691]: [Parse] [audit] User admin (session 119216, <SA_IP:58402) has finished uploading file 'rsadlp.envision'
    EPLH NwLogDecoder[11691]: [Decoder] [audit] User admin (session 499577, <SA_IP>:51866) has issued a parser reload
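
The check in step 10 can be scripted. The following is an added example, not NetWitness code: it reads the log and reports whether the upload of a given parser file was followed by a parser reload. The function names and status words are assumptions made for this example; the matched message text comes from the log lines above.

```shell
#!/bin/sh
# Added example (not NetWitness code): report whether the upload of a parser
# file was followed by a parser reload, using the audit messages from step 10.

# check_parser_deploy PARSER_FILE [LOG_FILE]   (hypothetical helper name)
# Prints one status word; returns 0 only when the status is "reloaded".
check_parser_deploy() {
    awk -v f="$1" -v q="'" '
        # Match the quoted file name so "x.envision" does not match "ax.envision".
        BEGIN { name = "uploading file " q f q }
        # A new upload restarts the sequence, so only the latest attempt counts.
        index($0, "has started " name)                        { state = 1 }
        index($0, "has finished " name) && state >= 1         { state = 2 }
        # The reload message does not name a parser, so it is tied to the
        # upload only by appearing after it in the log.
        index($0, "has issued a parser reload") && state == 2 { state = 3 }
        END {
            split("not-uploaded upload-incomplete uploaded-not-reloaded reloaded", w, " ")
            print w[state + 1]
            exit (state == 3 ? 0 : 1)
        }
    ' "${2:-/var/log/messages}"
}

# Sample input: the three audit lines shown in step 10 of this article.
sample_log() {
    cat <<'EOF'
NwLogDecoder[11691]: [Parse] [audit] User admin (session 119216, <SA_IP:58402) has started uploading file 'rsadlp.envision'
NwLogDecoder[11691]: [Parse] [audit] User admin (session 119216, <SA_IP:58402) has finished uploading file 'rsadlp.envision'
EPLH NwLogDecoder[11691]: [Decoder] [audit] User admin (session 499577, <SA_IP>:51866) has issued a parser reload
EOF
}

# Demo on the sample; on a decoder, omit the second argument to read
# /var/log/messages.
demo_log=$(mktemp)
sample_log > "$demo_log"
check_parser_deploy rsadlp.envision "$demo_log"
rm -f "$demo_log"
```

A status other than "reloaded" means the upload or the reload for that parser file is missing from the log that was read.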

Notes

You can deploy multiple resources at the same time from the same interface by selecting all of the desired Live Content and pressing the "Deploy" button above the search results. After choosing your desired Live Content and pressing "Deploy", continue from Step 6 in the steps above.


Product Details

NetWitness Product Set: NetWitness Logs & Network
NetWitness Product/Service Type: NetWitness Admin Server, Live, Content Management
NetWitness Version/Condition: 12.x
Platform: CentOS, AlmaLinux


Summary

How to get the latest version of a parser using RSA Live

